Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/282159

Change subject: Manage /etc/pam.d/sshd in role::bastionhost::2fa on via puppet
......................................................................

Manage /etc/pam.d/sshd in role::bastionhost::2fa on via puppet

Manage /etc/pam.d/sshd via puppet; the sshd PAM config needs to be extended
to support yubico 2fa in a subsequent commit. I checked whether that could
also be achieved with pam-auth-update, but it seems it only supports
modifying the common-* PAM configs.

Initially, perform the 2fa testing on iron (role::bastionhost::2fa); it can
be extended to the other bastion hosts in a later step.

Change-Id: I2921cd9c7386712b9ddb29872ce750322c57e9b7
---
M modules/role/manifests/bastionhost/2fa.pp
A modules/role/templates/bastionhost/pam-sshd.erb
2 files changed, 64 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/59/282159/1

diff --git a/modules/role/manifests/bastionhost/2fa.pp 
b/modules/role/manifests/bastionhost/2fa.pp
index 5de4368..6bd7772 100644
--- a/modules/role/manifests/bastionhost/2fa.pp
+++ b/modules/role/manifests/bastionhost/2fa.pp
@@ -19,4 +19,12 @@
         port  => 'ssh',
     }
 
+    file { '/etc/pam.d/sshd':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0440',
+        content => template('role/bastionhost/pam-sshd.erb'),
+        require => Package['openssh-server'],
+    }
 }
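Review bot: mode '0440' on /etc/pam.d/sshd is tighter than the world-readable permissions the package-shipped file normally has; sshd evaluates the PAM stack as root, so authentication still works, but the commit message gives no reason for diverging from the package default, and a one-line comment next to the file resource (or keeping the package mode) would save the next reader from wondering whether the restriction is deliberate. Also, since the file comes from openssh-server (hence the require), it is worth recording in the commit message that once puppet owns it, package upgrades that ship a changed /etc/pam.d/sshd will no longer be picked up automatically and the template will need to be re-synced by hand.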
diff --git a/modules/role/templates/bastionhost/pam-sshd.erb 
b/modules/role/templates/bastionhost/pam-sshd.erb
new file mode 100644
index 0000000..7405736
--- /dev/null
+++ b/modules/role/templates/bastionhost/pam-sshd.erb
@@ -0,0 +1,56 @@
+# THIS FILE IS MANAGED BY PUPPET
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Disallow non-root logins when /etc/nologin exists.
+account    required     pam_nologin.so
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account  required     pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule.  This ensures that any
+# lingering context has been cleared.  Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        
pam_selinux.so close
+
+# Set the loginuid process attribute.
+session    required     pam_loginuid.so
+
+# Create a new session keyring.
+session    optional     pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session    optional     pam_motd.so  motd=/run/motd.dynamic
+session    optional     pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session    optional     pam_mail.so standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session    required     pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session    required     pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context.  Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]        
pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password
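Review bot: apart from the puppet header on the first line, the template carries the stock Debian /etc/pam.d/sshd and contains no ERB tags yet, which is fine as a baseline, but two things are worth tidying before the yubico line is added. The `# [1]` markers on the pam_mail.so and pam_env.so lines refer to a footnote that does not exist in this file, so either drop the markers or add the footnote. And because `@include common-auth` is the only auth rule, the follow-up commit should state explicitly where the yubico module is inserted relative to it and with which control flag, since the ordering and flag decide whether a password failure short-circuits the stack before the second factor is consulted; a comment at the intended insertion point would make that subsequent change easier to review.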

-- 
To view, visit https://gerrit.wikimedia.org/r/282159
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2921cd9c7386712b9ddb29872ce750322c57e9b7
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits